CVE-2015-8258
Published: 2017-04-10
Priority: P3 · 57 · high · CVSS 3.0: 7.5
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EXPLOIT
EPSS: 8.76% (94.5th percentile)
AXIS Communications products with firmware through 5.80.x allow remote attackers to modify arbitrary files as root via vectors involving Open Script Editor, aka a "resource injection vulnerability."
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| axis | axis_communications_firmware | <= 5.80.3 | — |
Detection & IOCs (extracted from sources)
- Monitor HTTP requests to /view/view.shtml containing an 'imagePath' parameter with an external URL (http/https scheme pointing off-device), which indicates resource injection via the imagePath parameter.
- Alert on access to the Open Script Editor path ('System Options' -> 'Advanced' -> 'Scripting') from unexpected or external source IPs, as it allows editing any file as root.
- Detect AXIS device login attempts using default credentials, as exploitation of the Open Script Editor requires admin authentication, which is trivially obtained on devices with default passwords.
- Note: the resource injection vulnerability was reportedly fixed in firmware 5.60, but was confirmed still present in 5.80.x across various product models; do not assume patched status based solely on version 5.60+.
- Note: the Open Script Editor is restricted to authenticated admins, but weak/default password policies mean this is not an effective barrier in practice.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| NVD | 2.0 | 7.8 | HIGH | AV:N/AC:L/Au:N/C:N/I:C/A:N |
No detection rules found.
No writeups or analysis indexed.